Do I need an authorised representative in the EU?

Article 18 allows you to appoint one by written mandate. It is not strictly mandatory, but recommended if you have no EU presence. Your authorised representative can hold your Declaration of Conformity and technical documentation for EU market surveillance authorities.

Which conformity assessment applies to most IoT devices?

Most IoT devices that do not fall under Annex III or IV are classified as Default products. Default products use Module A (self-assessment) per Annex VIII Part I. No notified body is required. You assess internally and declare conformity. CRACheck guides you through this process.

Can I generate documentation in English for all EU markets?

The technical documentation under Annex VII can be prepared in English. However, Annex II user information must be provided in a language easily understood by users in the destination market. CRACheck generates documentation in English; you may need to translate the user-facing Annex II portion for specific markets.

What if our device has very limited processing power?

The CRA applies to any product with digital elements per Article 3(1). Constrained devices are not exempt. However, Annex I essential requirements are applied proportionally — "where applicable" qualifies several requirements. CRACheck's questionnaire accounts for device constraints and structures documentation accordingly.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Under Article 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation is amended?

Regenerate at no additional cost during licence validity.

You manufacture IoT devices in Southeast Asia and sell them to buyers in the European Union. It does not matter whether your factory is in Indonesia, the Philippines, Cambodia, or Myanmar — Regulation (EU) 2024/2847 applies to the product, not to the manufacturer's location. Every connected device on the EU market needs cybersecurity documentation under Annex VII by 11 December 2027. CRACheck generates it.

The Cyber Resilience Act does not have geographical exemptions. A connected sensor manufactured in Jakarta faces the same documentation requirements as one made in Munich. Article 2(1) applies to any product with digital elements placed on the EU market — a direct or indirect data connection to a device or network is sufficient. If your IoT devices contain firmware, connect via WiFi, Bluetooth, LoRa, or cellular, and reach EU buyers through any channel, you need an Annex VII dossier. CRACheck generates 8 documents in 15–25 minutes. €149 per device type. All processing happens in your browser.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Art. 2(1)

Applies to any product with digital elements on the EU market

11 Dec 2027

Full enforcement deadline

€149

Per device type, one-time

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Classify your IoT device

CRACheck determines if it is Default or Important under Annex III based on its function and connectivity

Enter device specifications

Sensor type, connectivity protocol, firmware version, data handling, power management, user interaction

Map cybersecurity features

How your device meets Annex I requirements: authentication, encryption, secure update, data minimisation, secure defaults

Document vulnerability handling

Your process for identifying, patching, and disclosing firmware vulnerabilities

Define support period

At least 5 years of security updates from market placement, or expected device lifetime if shorter (Art. 13(8))

Generate the 8-document dossier

Structured per Art. 31 + Annex VII for your specific device category

Provide to your EU buyer

The dossier supports their importer verification under Article 19

Common mistakes

❌

SIZE EXEMPTION MYTH

"We are a small company — the CRA targets large manufacturers"

Regulation (EU) 2024/2847 applies based on product type, not company size. A connected sensor from a 20-person company in Manila faces the same essential cybersecurity requirements (Annex I) as one from a multinational. Article 13 does not scale obligations by company revenue. The regulation applies equally to all manufacturers who place products with digital elements on the EU market.

❌

B2B ONLY ASSUMPTION

"We sell to system integrators, not end consumers — the CRA does not apply"

Article 2(1) covers products made available on the EU market through any channel. B2B sales to EU-based integrators, distributors, or OEMs are within scope. Your IoT sensor sold to a European smart building integrator is placed on the EU market at the point of that B2B transaction.

❌

LOW-VALUE EXEMPTION

"Our devices cost under €10 — CRA compliance is disproportionate"

The CRA does not set minimum product value thresholds. A €5 connected sensor with firmware has the same documentation obligations as a €500 gateway. The proportionality principle applies to penalty calculation (Art. 64(6) considers the size of the undertaking), not to documentation obligations.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Evaluates your IoT device against Annex III categories. IoT gateways may qualify as network management systems (Class I, item 6). Sensors with security functions may match other categories. Default devices use Module A self-assessment.

Technical Documentation

Art. 31 + Annex VII dossier for your IoT device: hardware and firmware design, connectivity, security architecture, production controls.

Risk Assessment

Annex I Part I analysis for IoT devices: remote exploitation, data interception, firmware tampering, battery-powered device constraints on security updates.

User Information

Annex II documentation: deployment guide, security configuration, update instructions, data handling transparency, support period, end-of-life procedure.

Declaration of Conformity

Art. 28 + Annex V. Your EU buyer needs this before market placement.

CVD Policy

Vulnerability disclosure for IoT devices: reporting channel, acknowledgement timelines, patch distribution, coordination with downstream users.

Notification Template

Art. 14 ENISA notification for actively exploited vulnerabilities in your IoT devices. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Enforcement timeline, support period, update milestones.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 INTERNATIONAL REGULATORY CONSULTANCY

$8,000–$18,000

6–14 weeks. Few consultants cover Southeast Asian manufacturers for EU cybersecurity regulation. Requires remote engagement and document translation. Output: generic compliance report.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history